web.xml
在/WEB-INF/web.xml里添加下面代码
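<!--
  Location of the Shiro INI file, read by EnvironmentLoaderListener at startup.
  ShiroFilter obtains its environment from that listener and does not read a
  "configPath" init-param (that parameter belongs to the older IniShiroFilter),
  so the path is declared as a context parameter instead. When this parameter is
  absent the listener looks for /WEB-INF/shiro.ini and then classpath:shiro.ini.
  NOTE(review): confirm against the Shiro version this project actually uses.
-->
<context-param>
    <param-name>shiroConfigLocations</param-name>
    <param-value>/WEB-INF/Shiro.ini</param-value>
</context-param>
<!-- Builds the Shiro web environment when the application starts. -->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<!-- Route every URL, for all four dispatcher types, through ShiroFilter. -->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>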
shiro.ini
上面的 param-value 里面的参数就是写这个文件的路径我放在/WEB-INF/下面,所以就是/WEB-INF/Shiro.ini,如果是放在resources下面,那么就是classpath:Shiro.ini
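[main]
# Where the authc filter sends a request that is not logged in yet.
authc.loginUrl=/login
# unauthorizedUrl: page shown when the logged-in user fails a role or permission check.
roles.unauthorizedUrl=/unauthorized.jsp
perms.unauthorizedUrl=/unauthorized.jsp
[users]
# Format: username=password,role1,role2,...
# The passwords below are short plaintext sample values for the demo only.
# Outside a demo, store salted password hashes and configure a matching
# credentials matcher in [main] instead of keeping cleartext in this file.
java1234=123456,admin
jack=123,teacher
# marry and json have no role: they can log in but pass no roles[...] or perms[...] rule.
marry=123
json=345
[roles]
# Format: role=permission1,permission2,...
# Was "studnet:*", a misspelling that would never match a student:* permission check.
admin=user:*, student:*
teacher=student:*
[urls]
# Rules are evaluated top to bottom and the first matching pattern wins.
# A path that matches no rule is not restricted by Shiro at all; once the public
# pages are listed, consider ending this section with a catch-all such as /** = authc.
# anon: reachable without logging in
/login=anon
# authc: any logged-in user may enter; this rule does not require the admin role.
/admin=authc
# Requires the teacher role.
/student=roles[teacher]
# Requires the user:create permission, which only the admin role grants here (via user:*).
/teacher=perms["user:create"]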
[main]
/login=anon,可以匿名访问
/admin=authc,必须登录才能访问
authc.loginUrl=/login,未登录时访问必须登录才能访问的url,会自动跳转至该登录页面
roles.unauthorizedUrl=/unauthorized.jsp,角色认证不通过,也就是说当前登录的这个账号的角色,并不能访问这个url时跳转的页面
perms.unauthorizedUrl=/unauthorized.jsp,权限不足,也就是说当前登录这个账号的角色拥有的权限,不足以访问这个url时,跳转的页面
[users]
java1234=123456,admin,用户名=密码,角色(这里的密码是明文示例,仅用于演示;实际项目中应保存加盐哈希后的密码,并配置对应的 CredentialsMatcher)
[roles]
角色拥有的权限
admin=user:*, student:*,admin角色拥有的权限(权限名必须与检查时使用的名称完全一致,写成 studnet 就匹配不到 student 的权限)
[urls]
/login=anon,匿名可以访问
/admin=authc,必须登录之后才能访问
/student=roles[teacher],登录之后的账号的角色,必须是teacher,才能访问
/teacher=perms["user:create"],登录之后的账号的角色,必须拥有"user:create"权限,才能访问
login.jsp
编写一个登录的jsp页面
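<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%-- Login form: posts the username and password fields to the servlet mapped at /login. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<%-- The action is prefixed with the context path so the form still reaches the
     login servlet when the application is not deployed at the server root. --%>
<form action="<%= request.getContextPath() %>/login" method="post">
    用户名:<input type="text" name="username"/><br>
    密码:<input type="password" name="password"/><br>
    <input type="submit" value="登录">
</form>
</body>
</html>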
loginServlet
提交登录的处理方式
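/**
 * Handles the login page: GET shows the form, POST authenticates the submitted
 * username and password through the current Shiro {@code Subject}.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Records failed logins; the submitted username and password are never written to it. */
    private static final java.util.logging.Logger LOG =
            java.util.logging.Logger.getLogger(LoginServlet.class.getName());

    /**
     * Displays the login form by forwarding to {@code /login.jsp}.
     *
     * @param req  the incoming request
     * @param resp the response the JSP renders into
     * @throws ServletException if the forward fails
     * @throws IOException      if writing the response fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        req.getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    /**
     * Authenticates the posted credentials. On success the browser is redirected to
     * {@code success.jsp}; on failure the form is shown again with a generic message
     * in the {@code errorInfo} request attribute.
     *
     * @param req  the request carrying the {@code username} and {@code password} parameters
     * @param resp the response used for the redirect or the re-rendered form
     * @throws ServletException if the forward fails
     * @throws IOException      if writing the response fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // The subject is the current user; the token carries the submitted credentials.
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            // Returns normally on success and throws AuthenticationException on failure.
            subject.login(token);
            // NOTE(review): the session that existed before login appears to be reused here;
            // if a fresh session id is required after authentication, rotate it at this
            // point. Confirm how the configured session manager behaves.
            // Same target as the relative "success.jsp", spelled out from the context path.
            resp.sendRedirect(req.getContextPath() + "/success.jsp");
        } catch (AuthenticationException e) {
            // Log the source address and failure type so repeated failures can be spotted.
            // The username is left out: it is attacker-controlled text and may even be a
            // password typed into the wrong field.
            LOG.log(java.util.logging.Level.WARNING, "Login failed from {0}: {1}",
                    new Object[] {req.getRemoteAddr(), e.getClass().getSimpleName()});
            // One message for every failure, so the page does not reveal which field was wrong.
            req.setAttribute("errorInfo", "用户名或者密码错误");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        } finally {
            // Wipe the token's copy of the password once the attempt is over.
            token.clear();
        }
    }
}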